Security update and new features

A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen, including:

Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)

New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.

In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites.

If you have any questions or concerns, please contact us at support+security@dropbox.com. We’re committed to keeping your Dropbox safe and will continue to monitor this situation carefully.

I think it was a mistake to send the new password note to your users asking them to click on a link to enter a new password. It looks a lot like phishing (which it isn't, of course). Thanks for working hard to keep up security.

The additional security measures will be much appreciated. It's a pity that they were not implemented sooner, however. I actually suggested 2-step authentication and activity logs to Dropbox support way back in June 2011 after the last security issue caused accounts to be accessible without passwords…

I agree – I came to this blog to see if it was a valid email – that's not the best way to inform users – please make a clear blog post saying that the email is from you… I think you've just freaked out a bunch of people…

I agree with the comments about the inappropriateness of the announcement e-mail – I am being regularly warned not to follow links in e-mails, as this is the way phishers work. I was very concerned about the unsolicited DropBox email, so also came here to check. This is just slack DropBox behaviour – come on team, we expect better! (and thanks for keeping us aware of the security issues)

I share the concern over the way in which you've gone about contacting users. In addition, there was no need for me to change my password to start with (I use 1Password). Now, I have no choice but to change my password — and then update my account details on all my various devices! Much better if you'd invited your users/customers to consider if they should change their password …

I would like to add my voice to the growing list of those who dislike how this was handled. I am very security conscious, and have a personal policy of NEVER clicking a link in email. This goes doubly for unsolicited emails regarding passwords. It is simply too easy to make a malicious link look legit. I should point out, also, that I use LastPass and use a different, unique, randomly generated password for each site… so I was a little suspicious of the email, to begin with… OK, a LOT suspicious.

So, upon receiving the email (suspicion level: 9000), I first did a Google search with the contents of the email as my search term… no hits. Suspicion level: +100

Next, I visit dropbox.com, looking to see if there is a notice on the homepage. No notice. Suspicion level: +50

I attempt to log in to dropbox.com. Invalid username or password. Suspicion level: +9999999999

I attempt to change my password, but I am thwarted by my inability to log in (see above). Frustration level: +100

Find this blog post, decide the email is legit, and after multiple attempts to change my password, or use the “forgot my password” tool, I decide that my only option is to break my rule, and click the link in my email. Suspicion level: 0 Frustration level: +999999999

Now, I am going to have to explain, to friends and family, that I am the default tech support for, why it is OK, *just this once*, to click a link in an unsolicited email, and give them your password.

Beyond all that; I am concerned regarding one of the two criteria that you named, in this blog post, that might possibly cause someone to be required to change their password. Specifically, I am concerned about the criterion, “if it's commonly used.” Ideally, passwords should be stored in your database as salted hashes, with the salt being something unique in each password (just like you recommend that people use a different password for each site). If this is the case, there is no way for you to know if any given password is commonly used, since all you would know about it is that it hashed to a string of characters that looks like gibberish. I suppose that, if you are hashing the passwords, unsalted or with a static salt, you could tell if the password is common by comparing the hashes in your password database… but that also would mean that the bad-guys could do the same if that database were ever compromised… and heaven help us if the passwords are stored in plain text.
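An added example (not from the post or any commenter) illustrating the argument above: when every user gets a random salt, two accounts with the same password store different hashes, so neither the operator nor whoever copies the table can see that a password is shared; an unsalted table exposes the clusters at once. Usernames and passwords below are constructed sample data, and the salted scheme (PBKDF2-HMAC-SHA256) is an assumption for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts: three users chose the same weak password "123456".
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "123456",
    "dave": "123456",
    "erin": "H4rd!t0Gu3ss",
}


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_store(users: dict, salted: bool) -> dict:
    """Return {username: stored_hash}; with salted=True each user gets a fresh 16-byte salt."""
    store = {}
    for name, pw in users.items():
        store[name] = hash_salted(pw, os.urandom(16)) if salted else hash_unsalted(pw)
    return store


def shared_hash_groups(store: dict) -> list:
    """Group usernames whose stored hashes are byte-for-byte identical.

    This is all it takes to spot a commonly used password in an unsalted
    table, and anyone holding a copy of the table can do the same.
    """
    groups = defaultdict(list)
    for name, digest in store.items():
        groups[digest].append(name)
    return sorted(sorted(members) for members in groups.values() if len(members) > 1)


if __name__ == "__main__":
    print("unsalted:", shared_hash_groups(build_store(SAMPLE_USERS, salted=False)))
    print("salted:  ", shared_hash_groups(build_store(SAMPLE_USERS, salted=True)))
```

The unsalted store yields the cluster alice/carol/dave; the salted store yields no clusters, which is exactly why a properly salted table cannot be mined for shared passwords by the operator or by a thief.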

That's true; I'm not a big fan of their iOS app either. However, they released a new, redesigned version a couple weeks ago that improves look and functionality. It's still not great, but it's certainly better than it was.

I totally thought this was a phishing scheme! I was just about ready to forward it to Dropbox security when I started seeing it pop up on Twitter. dropboxmail.com? Really? For something this important?

And forcing users to change their password NOT because your storage of those passwords/hashes was compromised, but because there might be a slight chance that I reuse my DBox password on another website that *was* compromised (which I don't). Wow, I think that this action is really poor judgement on the part of the DBox team. Maybe send out an email first telling that you'd like us to consider changing our password before you just change it on us without warning.

Hey, calm down, buddy. Phishing emails rarely, if EVER, include the person's name in them. The fact that the email addressed you by your first name should have cast some doubt on your assumption that it was a phishing email.

Secondly, you can see the link points to dropbox.com, so there's really no cause for alarm.

Finally, I just logged into my Dropbox account using my “old” password with no issues at all. I could have ignored this email all together and I wouldn't have noticed a thing.

Really? If somebody has obtained information from a compromised system, is it really that unlikely that they will possibly have your name as well?

As for the link pointing to 'dropbox.com', this is fine if you are knowledgeable enough to check for that. However, less knowledgeable people may not know or think to check the true destination of the link and, furthermore, this may well desensitize people (who don't know better) to the fact that clicking links in an email is not good practice.

2) At the time, I was using the web-based version of Exchange when I received this email. ExchangeWeb doesn't give you such a nice hover-to-see-the-link-URL; it tags that (HTML encoded) as a parameter to a link back to the Exchange server.

3) I find that if I choose to open my Dropbox from the system tray/menu bar icon, I can get in (for now). But I would expect that will change once I reboot my system and I will need to change and reenter my pwd.

I already use a unique password for Dropbox, because A: I'm not a moron and B: I use a password management app that makes this kind of thing trivial. But yet, because some of your users have trouble remembering their own name and go around the internet with the same password on each site, I have to reset MY password?!?

Just got the very suspicious looking email, and am now shocked to learn that it's legit. It breaks all the commonsense rules that we've all learned about not clicking on unknown links. Not at all cool, Dropbox!

Looks like I'm one of those people to whom this reset was quite irrelevant, as I changed my Dropbox password to something more unique, long, yet memorable. It /is/ annoying to have to reset that (even if I'd just change it to be the same again).

That said, I'm glad to hear that while there have been password leaks all over the internet during the recent years, Dropbox wasn't among the companies that say “We take the security of our users VERY seriously!” yet store our passwords in plain text and bite the bad publicity when those passwords are spread all over the net.

Sadly, “one pass to rule them all” is an approach a LOT of users take and whether we like it or not, the vast majority of our population is likely made of those exact idiots that people here say they aren't. Hell, I myself had three or four “main” passwords, but I've been trying to slowly kill that bad habit, what with KeePass and Dropbox making a secure and free multi-platform keychain… For the sake of all those users, I understand the step that Dropbox took and appreciate the effort, though it may have been better to simply advise all the users to change their password on their own terms instead of force-resetting them. Hopefully, the team will learn from the feedback and take the less aggressive step in the future.

Anyway, I'm looking forward to the two-factor authentication. This is an awesome feature that I first tried with Google and if implemented properly, it will heavily improve the security of my account, making the password alone insufficient to break into it and grab all the data that I store there – something that's been rubbing me the wrong way lately when I wanted to retrieve data from a computer that didn't belong to me.

I really like Dropbox (got almost 12GB from quests, EDU and referrals there – something GDrive likely wouldn't have) and I appreciate what you guys are doing for us. Just try to be a bit less aggressive with things that may not be relevant to some of your users to avoid disruptions in their lives.

Where did you get that they store passwords in plain text? The only thing about stolen passwords they mention is that someone got a hold of an employee's password and used it to steal a document that contained user emails… nothing about compromised user passwords.

He didn't say that. He said that he was glad that DropBox was not like the companies who say that they are secure then apologize for storing passwords in plaintext after getting hacked. (I paraphrased and reworded, but kept meaning intact)

It would seem that you and I have transgressed the cardinal law of Internet arguing by admitting fallibility… We may come to know each other very well over the following months, as we endure the court cases surrounding our instigation of the implosion of the Internet.

(We both, within a minute of each other, posted an acknowledgment of being wrong to each other, in separate threads… surely the internet cannot survive this… perhaps an unwarranted ad hominem attack can reset the balance… you jackass)

Kyle, I agree with everything you said… except for the comment about the people here being the idiots we claim not to be (“…those exact idiots that people here say they aren't…”). Since DropBox forced me to change my password, I feel confident in sharing my old password: H$yx&7AwKR!N

My passwords are generated using LastPass' secure password generator. I use 12 characters of mixed case, alphanumerics & special characters. AND, I use unique passwords for each and every site. And I use YubiKey's 2 Factor Authentication everywhere I can, ESPECIALLY on my password store… That being said, I, again, agree with you on all points but that one.

For my thoughts on the other side of this issue, see my post further down the page.

Please note: Sometimes we blog about upcoming products or features before they're released, but timing and exact functionality of these features may change from what's shared here. The decision to purchase our services should be made based on features that are currently available.